[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

about draft-ietf-v6ops-cpe-simple-security-07

To: IPv6 Operations <v6ops@ops.ietf.org>, shim6@ietf.org
Subject: about draft-ietf-v6ops-cpe-simple-security-07
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 28 Jul 2009 16:01:11 +0200

[to v6ops and shim6, prune as necessary]

R11: Filter state records for generic upper-layer transportprotocolsMUST NOT be deleted or recycled until an idle timer not less thantwo

   minutes has expired without having forwarded a packet matching the
   state in some configurable amount of time.  By DEFAULT, the idle
   timer for such state records is five minutes.

That seems rather short: new transports would now have to sendkeepalives every 1.75 minutes. I'd say that a timeout MUST be at least11 minutes and preferably 124 minutes, like TCP.

If the timers for unknown transports are compatible with those neededfor SCTP and DCCP then implementers can forego handling thoseexplicitly but they'll still work.


3.2.4.  6to4 Tunnels

   Typical dual-stack IPv4/IPv6 residential gateways use private IPv4
   address ranges and network address/port translation on a single IPv4
   address assigned by the service provider.  The use of private
   addresses prevents interior hosts from using 6to4 [RFC3068] tunnels.

Usually the private addresses are on the inside and a public on theoutside (which will presumably start to change as IPv4 depletes butwill never completely go away) so 6to4 can work just fine in thosecases.


   The use of Level 3 Multihoming Shim
   Protocol for IPv6 (SHIM6) [I-D.ietf-shim6-proto] as a site multi-
   homing solution is not generally compatible with IPv6 simple
   security.

(Now RFC 5533.) Why? Assuming that there are two CPEs with each an ISPlink and advertising separate address ranges, then if the host sendsnormal packets over CPE A and then when the ISP connected to CPE Afails, the host can send protocol 140 signaling and encapsulated datapackets to CPE B. This should work. An optimization would be to allowincoming protocol 140 whenever there is communication between aninternal and external host already, whatever the type. (Without that,the shim6 signaling fails when the first host initiates it and onlysucceeds if the second host initiates it soon enough after.)

Follow-Ups:
- Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: draft-denis-icmpv6-generation-for-teredo
Next by Date: Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
Previous by thread: draft-denis-icmpv6-generation-for-teredo
Next by thread: Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
Index(es):
- Date
- Thread